Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Congress Nears Final Identity Theft Legislation

News analysis: After input from industry, consumer groups and subcommittees, what will Congress spit out? Here's what a final federal law on identity theft would look like if privacy advocates and security experts had their say.

WEBINAR:On-Demand

Since the ChoicePoint headlines in February, the number of reported data breaches of personal information has exploded to the point that the tally now reaches a staggering 50,324,480 records exposed to potential theft and fraud.

The breaches have affected Congress as fertilizer to daylilies, with a new identity-theft law sprouting every few weeks, the most recent of which was introduced into the Senate last week.

The Identity Theft Protection Act, sponsored by Sen. Gordon Smith, R-Ore., and a slate of bipartisan supporters, is a bill that touches on data protection and safeguards, as well as data breach notification.

It joins a bumper crop: the SPY ACT (Securely Protect Yourself Against Cyber-Trespass), the SPYBLOCK (Software Principles Yielding Better Levels of Consumer Knowledge) bill, the Internet Spyware Prevention Act, and the ID Theft Notification Bill, to name a few.

Some have passed, while others have withered on the vine but might see their provisions resprout in the Smith/Nelson bill, as the Identity Theft Protection Act is also known.

The act is scheduled for markup on July 28. Markup is expected to be delayed, but after markup, it will likely be the container for provisions from other proposed bills. The question is, after the bill is masticated by industry, consumer groups and committees, what will Congress spit out? If privacy advocates have their say, what will the final federal law look like?

What some privacy advocates most fear is that the product of Congress mulling will be a feeble version of stronger state laws—a feeble version that would then topple more vigorous laws.

"Were very interested to see that the state breach-notification laws—for example, the California state law—is not pre-empted by a weaker standard," said Pam Dixon, executive director of the World Privacy Forum, referring to California SB (Senate Bill) 1386, a law that went into effect in July 2003. The law requires that organizations experiencing security breaches notify those whose records have been exposed.

Its impossible to discern whether Californias law is preventing identity theft, of course, but notification has measurably worked in two areas, according to Joanne McNabb, chief of the California Office of Privacy Protection. First, it gives potential victims of identity theft an early warning so they can take preventive actions such as applying a fraud alert.

The second benefit of a breach-notification law such as Californias is that organizations that have felt its sting have since cleaned up their acts. McNabb cites two examples: The first had to do with blood-donation vans that were losing laptops.

She asked why the vans operators felt the need to collect Social Security numbers, and it turned out that this was an antiquated system left over from the days when most donations were done at hospitals that used the SSN as a patient ID number. The practice was then dropped.

The next example is that of a state agency that lost records when a laptop was stolen from a car trunk. The agency went through notification, but weeks later, another laptop was stolen from the locked trunk of a car.

By this time, however, the agency had gotten its act together and encrypted data on laptops. Thus, it didnt have to notify anybody. "Thats an example of the other benefit of a good breach-notification law," McNabb said. "Its a very strong incentive to apply security measures to protect information."

Thats a strong law, and a good law, at work, and its this strength that privacy experts fear will be lost in whatever federal law comes out of Congress in the coming weeks. "If a federal law isnt at least as strong as a strong state law, were all in trouble," Dixon said.

Insofar as "we" refers to consumers, we might all be in trouble. The Smith/Nelson bill has been booted over to the House Subcommittee on Commerce, Trade and Consumer Protection.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.